Hi everyone - I have a question on user roles. I’m not a developer so please bear with me if some of these are basic!
I have a freemium, subscription-based web app. To manage the access levels (free and full), we use a user role within Auth0. Once the user’s subscription expires, the “full” user role is deleted. At that point, their access should revert to the basic “free” tier.
The problem I’m running into is that even if the user role is deleted, they still have full access. For the access level to update, they have to log out, then log back in again. In theory, this means people could access my “full” tool for months without paying, as long as they didn’t log out.
My developers are saying that Auth0 can’t force logouts, which makes sense. But is there something else that can be done to avoid this issue? I feel like this is pretty basic functionality, so if there’s something obvious that my developers or I are missing, I’d love to hear about it.
An access token defines what resources a user can access. These tokens cannot be revoked once issued, and only become invalid once they expire.
For example, a token that was issued with a 30-day lifetime would allow a user to access those resources for 30 days, regardless of what changes you made to their permissions/roles or profile.
In order to solve for more immediate changes, we recommend shortening access token lifetimes. A 5-minute lifetime would mean that a new token (with updated permissions/roles) must be requested after 5 minutes. This means that any changes to user data will be reflected within 5 minutes of the changes being made.
Forcing logout does not invalidate the existing token, and a savvy user could easily hold on to that token, even if they were forced to log out and request a new token. This is why you should use a short token lifetime, vs. forcing logout.
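As an added illustration of the answer above (not code from the original thread or from Auth0), here is a stand-in for the resource server: it mints and checks HS256 JWTs with the Python standard library and shows that once the "full" role is removed, a 30-day token still grants full access a day later, while a 5-minute token only does so until it expires and a fresh one is minted from the current roles. The signing secret, user id, timestamps and role names are constructed for the demo.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # constructed; a real API validates Auth0's signing keys instead

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(roles, lifetime_s, now):
    """Mint an HS256 JWT carrying the roles the user has *at issue time* (stand-in for Auth0)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": "user-123", "roles": roles, "iat": now, "exp": now + lifetime_s}
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_token(token, now):
    """Return the claims if the signature is valid and the token is unexpired, else None.
    The API never consults Auth0 here: it only sees what was baked into the token."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    claims = json.loads(b64url_decode(payload))
    if now >= claims["exp"]:
        return None
    return claims

def can_use_full_tool(token, now):
    claims = verify_token(token, now)
    return claims is not None and "full" in claims["roles"]

def full_access_after_revocation(lifetime_s, elapsed_s):
    """Does the API still grant 'full' access `elapsed_s` seconds after the role was removed?
    Token issued at login (t0); role removed in Auth0 at t0 + 60; the issued token is untouched."""
    t0 = 1_700_000_000  # constructed login time
    revoked_at = t0 + 60
    token = issue_token(["free", "full"], lifetime_s, t0)
    now = revoked_at + elapsed_s
    if verify_token(token, now) is None:
        # Token expired: the client must request a new one, minted from the user's current roles.
        token = issue_token(["free"], lifetime_s, now)
    return can_use_full_tool(token, now)

if __name__ == "__main__":
    print("30-day token, 1 day after revocation:", full_access_after_revocation(30 * 86400, 86400))
    print("5-minute token, 1 day after revocation:", full_access_after_revocation(300, 86400))
```

The 5-minute token still grants access for the remainder of its window (`full_access_after_revocation(300, 120)` is true), which is the bounded exposure the answer trades for.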